Introduction

This tutorial explains all about X.509 certificates and its current formats and shows how it can be implemented in .NET environment.

Background

A public key certificate, usually just called a digital certificate or certs is a digitally signed document that is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. This creates a trust relationship between two unknown entities. The CA is the Grand Pooh-bah of Validation in an organization, which everyone trusts, and in some public key environments, no certificate is considered valid unless it has been attested to by a CA. Example of a popular CA’s authority is http://www.verisign.com/ .

Certificates can be issued for a variety of functions such as Web user authentication, Web server authentication, secure e-mail (Secure/Multipurpose Internet Mail Extensions, or S/MIME), and Internet Protocol security (IPSec), Transport Layer Security (TLS), and code signing. For example, when using the Internet for online banking, it is important to know that your Web browser is communicating directly and securely with your bank's Web server. Your Web browser must be able to achieve Web server authentication before a safe transaction can occur. Microsoft Internet Explorer uses Secure Sockets Layer (SSL) to encrypt messages and transmit them securely across the Internet, as do most other modern Web browsers and Web servers.

An X.509 certificate includes the public key and information about the person or entity to whom the certificate is issued, information about the certificate, plus optional information about the certification authority (CA) issuing the certificate.

It is a public key exchange framework and OSI standard specified by ISO/IEC 9594-8.

Formats of X.509 Certificates:

DER Encoded Binary X.509 (.cer)

Base64 Encoded X.509 (.cer)

PKCS#7 / Cryptographic Message Syntax Standard (.p7b)

PKCS#12 / Personal Information Exchange (.pfx)

DER Encoded Binary X.509

DER (Distinguished Encoding Rules) for ASN.1, as defined in ITU-T Recommendation X.509, is a more restrictive encoding standard than the alternative BER (Basic Encoding Rules) for ASN.1, as defined in ITU-T Recommendation X.209, upon which DER is based. Both BER and DER provide a platform-independent method of encoding objects (such as certificates and messages) for transmission between devices and applications. During certificate encoding, most applications use DER because a portion of the certificate (the Certification Request's Certification Request Info) must be DER-encoded to be signed. This format might be used by certification authorities that are not on Windows2000 servers, so it is supported for interoperability. DER certificate files use the .cer extension.

Base64 Encoded X.509

This is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME) which is a popular, standard method for transferring binary attachments over the Internet. Base64 encodes files into ASCII text format, making corruption less likely as the files are sent through Internet gateways, while S/MIME provides some cryptographic security services for electronic messaging applications, including non-repudiation of origin using digital signatures, privacy and data security using encryption, authentication, and message integrity. The MIME (Multipurpose Internet Mail Extensions) specification (RFC1341 and successors) defines a mechanism for encoding arbitrary binary information for transmission by electronic mail. Because all MIME-compliant clients can decode Base64 files, this format might be used by certification authorities that are not on Windows2000 servers, so it is supported for interoperability. Base64 certificate files use the .cer extension.

Cryptographic Message Syntax Standard (PKCS#7)

The PKCS#7 format enables the transfer of a certificate and all the certificates in its certification path from one computer to another or from a computer to removable media. PKCS#7 files typically use the .p7b extension and are compatible with the ITU-TX.509 standard. PKCS#7 allows for attributes such as countersignatures to be associated with signatures. Attributes such as signing time can be authenticated along with message content. For information on PKCS #7 see ww.rsa.com.

Personal Information Exchange (PKCS#12)

The Personal Information Exchange format (.pfx, also called PKCS#12) enables the transfer of certificates and their corresponding private keys from one computer to another or from a computer to removable media. PKCS#12 (Public Key Cryptography Standard#12) is an industry format that is suitable for transport or backup and restoration of a certificate and its associated private key. This can be between products from the same vendor or different vendors. To use the PKCS#12 format, the cryptographic service provider (CSP) must recognize the certificate and keys as exportable. If a certificate was issued from a Windows2000 certification authority, the private key for that certificate is only exportable if one of the following is true: The certificate is for EFS (encrypting file system) or EFS recovery. The certificate was requested through the Advanced Certificate Request certification authority Web page with the Mark keys as exportable check box selected. Because exporting a private key might expose it to unintended parties, the PKCS#12 format is the only format supported in WindowsXP for exporting a certificate and its associated private key. For information on PKCS #12 see ww.rsa.com.

Let us make a new X.509 certificate and implement in .NET environment. However remember .NET 1.0 / 1.1 supports only DER Encoded Binary X.509 format only. (However at the bottom of article I will told you a way to use latest certificate formats such as PKSC #12 (.pfx) in .NET).

The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standards. The certificates are encoded using OSI ASN.1 DER. Some primary fields in X.509 certificate are indicated below:

Field

Meaning

Version

Which version of X.509

Serial number

This number plus the CA’s name uniquely identifies the certificate

Signature algorithm

The algorithm used to sign certificate

Issuer

X.500 name of CA

Validity Period

The starting and ending period

Subject name

The entity whose key being certified

Public Key

The subject’s pubic key and ID of algorithm using it.

Microsoft provides many security tools in .NET SDK. Most of them are consoled based utilities applications. That is:

Permission and assembly management tools

Certificate management tools

We are concerned with only certificate management tools. They are

Application

Meaning (See MSDN for more detail options of each application)

Makecert

Generate a X.509 certificate for testing purpose only

Certmgr

Assembles certificates into CTL (certificate trust list) and can also be used for revoking lists (CRLs).

Chktrust

Verifies the validity of a file signed with an X.509 certificate

Cert2spc

Creates, for test purposes only, a Software Publisher's Certificate (SPC) from one or more X.509 certificates.

Let us create a DER based X.509 certificate (.cer) with following command on the Visual Studio 03 command prompt.

makecert -sk Adnan -n "CN=Adnan Company" Adnan.cer

-sk is Subject name

–n is Specifies the subject's key container location, which contains the private key. If a key container does not exist, it will be created.

This will create a X.509 certificate (Adnan.cer) in personal folder directory of user currently logged. Now we can retrieve its properties using System.Security.Cryptography.X509Certificates class. The Certificate is also included in source code.

Now we will test this certificate and creates a Software Publisher's Certificate (SPC) file (PCKS # 7) from following command on VS command prompt.

cert2spc Adnan.cer Adnanspc.spc

This will create (Adnanspc.spc) file in personal folder directory of user currently logged. However this is for test purposes only. You can obtain a valid SPC from a Certification Authority such as VeriSign or Thawte. The spc file is included in source code.

Use Chktrust to checks the validity of a file signed with an Authenticode certificate.

chktrust signedfile

The signed file could be any valid application (exe). If application does not have a valid

signature, the tool displays the Security Warning dialog box. The dialog gives you the option

to install and run the PE file even though an Authenticode signature could not be found.

You can use PKCS #12 (.pfx) certificates in .NET using latest CAPICOM wrappers available from Microsoft site http://www.microsoft.com/msdownload/platformsdk/sdkupdate/psdkredist.htm. Search MSDN 2004 in Platform SDK -> Security for article “PKCS #12 File Types: Portable Protected Keys in .NET” or see online www.msdn.microsoft.com for detail. The article shows how to use CAPICOM to access PKSC #12 files in C# code however it can be easily converted into Vb .NET code.

We have seen what amazing power .NET have for management of certificates.

I m try to put signed data inside a signatura detached,
is there any way to do this?

In Msdn docs http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
Adding content to the encoded message.
But I wanted to add the message and not make a message only to the content.

I have a signed message .p7s detached. I only want to make this attached.

On http://msdn.microsoft.com/en-us/libr...(v=VS.85).aspx
CryptMsgControl Function said
The control operations provided by this function are used for decryption,
signature and hash verification, and the addition and deletion of
certificates, certificate revocation lists (CRLs), signers, and
unauthenticated.
But not, EncapsulatedContentInfo...

Hi Angelo,
Thanks for considering me, actually i am already performing my services as Team Lead in a reputed software organization, but tell me detail of of your solution what you want to accomplish, then we will move along.

I want to sign my project assembly files with some private key and i'm using x509certificate class. I need this certification to be valid permenently, what should i do? we don't have access to edit the validation period in the certification directly, right?
any ideas????? Should i use another approach for my aim? What?
I appreciate any ideas...

I am developing software called report mailer in that what i want is that
i want to sign the attachment and send to particular client by using Microsoft Cryptography. but i am not getting how to do it.

This article 'lifts' (plagiarizes) much text directly from the Microsoft sites (for just one example, google up the following text from this article: "A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority".

This article 'lifts' (plagiarizes) much text directly from the Microsoft sites (for just one example, google up the following text from this article: "A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority".

Shameless.

Yep, a LOT of the articles here are totally stolen from Microsoft examples. That wouldn't be so bad if they added something to the example, explained it more maybe or extended the example, but mostly they just muddy the waters with poor English and a poor understanding of the concept being explained.

The reason for this is these people put on their resumes that they've had x number of articles published, so they cheat to inflate that number. It only comes back to bite them in the rear though. Like the "Dr." that applied for a job where I work and when we looked up his "college" it turned out it was a diploma mill that had been shut down by the federal government. Needless to say he didn't get the job.

What the hell did you mean by "these people" ? The world could have been a better place if racist did not exist or died once and for all for good.
It may be copied and proper references may not be given, but this issue could be treat with addressing to that perticular individual, not refereing by "these people".

I have a problem when people unduly invoke "racism" for inane reasons. Its like the boy who cried wolf...calling people racist is so common these days its HARD TO LET GO OF THE ISSUE, and LET IT BE, leaving you with the only option of ignoring it (which doesn't really solve the problem when true racism rears its ugly head...much like those real wolves that ate the poor little boy.) Those of us who would prefer to move on a one population of humanity can't, because were constantly being dragged back into the fight by everyone using the term "racism" in improper situations.

Use of the term "these people" does not intrinsically mean someone is being racist. In this particular case, I simply understood it to mean "the kind of lazy, sloppy people who plagiarize content to throw together a shoddy article", which has NOTHING to do with race. It doesn't matter if the guy is white, black, brown, yellow, red, or pink with blue polka-dots...a crappy, plagiarized article is a crappy, plagiarized article. White people do it. Black people do it. Brown, yellow, and red people do it. People of every color, including those pink people with blue polka-dots, all have the same capacity to be lazy oafs who can't craft useful, beneficial content, and plagiarize from other sources.

Don't drag race into an issue unless it is UNDENIABLY CLEAR that someone is being fundamentally racist, and deserves to be called out. Every time you DO drag race into an issue, you just breathe new life into racism, and defeat your (supposed) goal of a planet not plagued by pointless skin-color-driven hate.

WELL SAID! I understood your comments from the first; the only ones taking offense are THESE PEOPLE who plagiarize etc.. it is bothersome that when they are caught and called out there is that race card.
I would rather they FESSED UP and just said hey I found this article here and here and I put these different articles together here to provider a broader spectrum of this subject in this article. Or those articles are not clear or easy to understand - so I simplified it and broke it down for you..